3. International Congress and Convention Association #ICCAWorld
Process
• Comments from speakers
• Questions/Discussion
• One action
4. Simon Dufaur
Head of Strategy, Innovation & Consulting
MCI Benelux
5. Paul Harris
Senior Solutions Consultant
Aventri
6. GDPR: 6 Months On
Nothing presented herein is intended to constitute legal advice.
Simon Dufaur - ICCA Congress, Dubai 12.10.18
8. Regulation is considerably outpaced by Technology
Timeline of privacy regulation:
1890 The Right to Privacy (Harvard Law Review Vol. 4, No. 5)
1948 The Universal Declaration of Human Rights
1950 The European Convention of Human Rights
1981 The Convention for the Protection of Individuals
1995 EC Directive 95/46/EC
2018 GDPR
Timeline of technology: 1980s Hardware Era, 1990s Software Era, 2000s Cloud Era, 2010s Intelligence Era
10. 87 million: the number of users whose personal information was harvested without their permission (Facebook / Cambridge Analytica)
11. Data: the new oil, but it is not always that safe
Chart: data records compromised, stolen or lost, select examples (in M of records): TK/TJ Maxx (2007), Sony PlayStation (2010), Yahoo! (2013, x10 !!), Ebay (2014), Anthem (2015), Equifax (2017)
14. "Not the power to remember, but its very opposite, the power to forget, is a necessary condition for our existence." Sholem Asch
15. The aim of GDPR is to protect individuals
The seven principles (Source: GDPR: Article 5):
1 Lawfulness, Fairness & Transparency
2 Purpose limitation
3 Data minimisation
4 Accuracy
5 Storage limitation
6 Security
7 Accountability
16. A few best practices: What does this mean in practice?
DPIA: Carry out a mapping and a risk assessment.
Privacy by design: Make data protection a business-as-usual process and do so at the beginning of any project or process development.
Records: Protect data through tools such as pseudonymisation and maintain a record of data-processing activities.
17. A few best practices: What does this mean in practice?
Third-parties: Require vendors and suppliers to protect personal data and monitor that they do so. Check if liability is apportioned as well.
Legal basis: Verify that you have the legal basis (e.g. consent) and record it. Appoint a DPO to own compliance.
Training: Invest in staff training (also client and supplier) and test SOPs.
18. When it goes wrong… it can be devastating
Fines: up to €20 million or 4% of worldwide turnover
Public scrutiny: 50%; Operations and Finance departments most severely affected
Lose customers: 22%; most of these companies will lose in excess of one customer in five
Lose revenue: 29%
Average organisational cost: US$ 3.62m
19. What's happened so far?
No fines yet.
• Privacy notices are more transparent and consent forms more robust.
• People are exercising their rights more than before.
• Regulators have been flooded with breach notifications.
• Number of complaints has increased.
20. Steps you should be taking now
1 Momentum: Try to maintain the internal GDPR compliance momentum, awareness, training and management support that existed immediately prior to 25.05.18.
2 Refine internal processes: Conduct practical testing, get honest feedback from frontline team members, complete pre-May GDPR checklist, and change what doesn't work in order to improve compliance.
3 External monitoring: Keep abreast of regulatory developments such as ePrivacy regulations, Privacy Shield, Brexit and Schrems (EU-US data flows ruling).
22. Simon Dufaur
• MCI Benelux
Paul Harris
• Aventri
24. Data Protection: 150 Days after GDPR
Thank you!
25. Simon Dufaur
Head of Strategy, Innovation & Consulting
Nothing herein is intended to constitute legal advice.
27. Lawfulness, Fairness & Transparency
Data should only be processed where there is a lawful basis for such processing (e.g. consent, contract, etc.).
Data subjects should receive sufficient information from the data processor about the processing and a means to exercise their rights.
The information provided to data subjects should be concise and easy-to-understand.
28. Purpose limitation
Personal data must be collected only for specific, explicit and legitimate purposes.
29. Data minimisation
The processing of personal data should be adequate, relevant and limited to what is necessary to fulfil the purposes for which the data is used.
30. Accuracy
Data should be accurate and kept up to date.
31. Storage limitation
Data should not be held in a format that permits personal identification any longer than necessary.
32. Security
Security and protection against unlawful processing, accidental loss, damage and destruction should be ensured.
33. Accountability
The Data Controller is responsible for demonstrating compliance.